Re: Snort detection engine vulnerability

[Dragos Ruiu <dr () kyx net>]

I've been working on full keyword semantics parsing/checking 
for snortpp, as well as more intelligent keyword ordering for presentation.

A quick improvement will be for me to introduce an option to allow
rule sorting on the basis of the priority keyword in rules in snortpp.
It's on my todo.... in the meanwhile doing some manual rules reordering
to put more important attacks higher in the order will help ameliorate
any perceived deficiency here.

cheers,
--dr


On Mon, 30 Jul 2001, James Hoagland wrote:
> Hello Moritz,
>
> Thanks for bring this up.  I wouldn't call this a vulnerability in 
> Snort though.  Vulnerability implies there is some way to abuse Snort 
> to cause it to do a bad thing (such as stop running).  This is not 
> the case.
>
> I believe you analysis is correct, however my take is different. 
> Someone might more accurately call this a misclassification by Snort. 
> I wouldn't even agree with that label though for two reasons:
>
> + the first match was a valid match per the signature.  So as far as 
> Snort (or any other signature-based IDS) knows, this is an actual 
> exploit.
>
> + match only once is the documented behavior of snort.  Therefore, 
> Snort's reaction is within its established semantics.  Anyone 
> analyzing Snort's alerts needs to do so with respect to its semantics.
>
> I would say, though, that a command line option that people could use 
> to cause Snort to match all rules possible might be a nice feature.
>
> Sincerely,
>
>    Jim
>
> At 2:08 AM +0200 7/31/01, Moritz Jodeit wrote:
> > Hi,
> >
> > I think I found a design flaw in Snort's detection engine.
> > The detection engine checks each package and the first rule that matches,
> > triggers the action specified in the rule. The problem is, that once an action
> > was triggered, no more checks are done on the package. It is possible for
> > someone to put a fake exploit at the beginning of a packet and put the real
> > exploit after the fake one. This way, the fake exploit triggers the rule and
> > the real exploit doesn't get detected.
> >
> > http://snort.protected.host.com/test-cgi/../[insert your favourite 
> > iis exploit]
> >
> > This sample triggers the "WEB-CGI test-cgi access" rule, while the 
> > real exploit
> > doesn't get logged.
> >
> > I sent two emails to roesch () clark net, but didn't get any response, so I send
> > it to the list...
> >
> > --
> > Moritz Jodeit
> > http://www.jodeit.org/
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -- 
> |*   Jim Hoagland, Associate Researcher, Silicon Defense    *|
> |*               hoagland () SiliconDefense com                *|
> |*              http://www.silicondefense.com/              *|
> |*      Silicon Defense - Technical Support for Snort       *|
> |*  Voice: (530) 756-7317              Fax: (530) 756-7297  *|
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Dragos Ruiu <dr () dursec com>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users